In modern cloud native environments, virtual machines are typically deployed through automation and are operated as stateless entities. The Cloud Native Computing Foundation defines cloud native technologies as those involved in building and running scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. Example cloud native technologies include containers, service meshes, microservices, immutable infrastructure, and declarative application programming interfaces (APIs).
Cloud native virtual machines (VMs) are designed to run containers directly or to run stateless workloads in support of containerized applications, are dynamically deployed and orchestrated with minimal human involvement, and are focused on hosting and running microservices. Such cloud native VMs may be targets for attackers seeking to disrupt businesses or steal data.
Existing solutions for protecting containers or lightweight VM applications typically use events generated by the containers or applications to analyze potential security threats. Such events may be processed by a security information and event management (SIEM) system or a distributed logging framework.
SIEM systems collect and store log data collected from various devices and hosts. Forensic analysis of this log data allows for identifying security breaches and what systems were compromised by the breaches. Centrally accessible log data therefore allows for forensically analyzing an infrastructure as a whole rather than as a set of individual systems.
Existing solutions for providing runtime security defense typically generate a high number of events to be processed by the SIEM system, distributed logging framework, and the like. To reduce this volume, such solutions may combine events into an aggregated profile and send the profile instead. However, even when aggregated, the high number of events is not practical to send over a network to the SIEM system or distributed logging framework because of the network bandwidth, storage, and CPU they consume. Network bandwidth problems are especially acute when containers or applications are implemented in cloud environments.
Additionally, for existing solutions to understand how an event correlates with other events, all entity index data must be stored. As a result, existing solutions demand a large amount of memory dedicated to event data. With existing solutions, this memory use cannot be reduced without losing the context of these correlations.
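The following Python program is an added illustration of the two costs described above and is not part of this disclosure or of any existing product. It uses a constructed stream of container runtime events (process executions, file opens, and network connections from hypothetical containers named web-1, web-2, and db-1), collapses repeated events into per-entity profiles to show how aggregation shrinks the payload sent to a SIEM, and builds an entity index that must be retained in full to answer correlation questions such as "which containers connected to the same target", whose size grows with every event retained.

```python
"""Added illustration: event aggregation versus entity-index memory cost.

All events below are constructed sample data; container names, paths and
the 10.0.0.5:5432 target are hypothetical.
"""
from collections import defaultdict
import json


def make_sample_events():
    """Constructed runtime event stream: (event_id, container, type, target).

    A handful of one-off events plus many repeated connections from two
    web containers to one database endpoint, as a chatty service would emit.
    """
    events = [
        (1, "web-1", "exec", "/usr/bin/nginx"),
        (2, "web-1", "open", "/etc/nginx/nginx.conf"),
        (3, "web-2", "exec", "/usr/bin/nginx"),
        (4, "web-2", "open", "/etc/nginx/nginx.conf"),
        (5, "db-1", "exec", "/usr/bin/postgres"),
        (6, "db-1", "open", "/var/lib/postgresql/data/pg_hba.conf"),
    ]
    next_id = 7
    for _ in range(100):
        for container in ("web-1", "web-2"):
            events.append((next_id, container, "connect", "10.0.0.5:5432"))
            next_id += 1
    return events


def aggregate_profiles(events):
    """Collapse repeated (container, type, target) events into one profile
    entry holding a count and the first/last event id seen."""
    profiles = defaultdict(lambda: {"count": 0, "first_id": None, "last_id": None})
    for event_id, container, event_type, target in events:
        entry = profiles[(container, event_type, target)]
        entry["count"] += 1
        if entry["first_id"] is None:
            entry["first_id"] = event_id
        entry["last_id"] = event_id
    return dict(profiles)


def build_entity_index(events):
    """Map each entity (a container or a target) to the ids of every event
    that touched it. This is the correlation context: it cannot be trimmed
    without losing the ability to relate events across containers."""
    index = defaultdict(set)
    for event_id, container, _event_type, target in events:
        index[("container", container)].add(event_id)
        index[("target", target)].add(event_id)
    return dict(index)


def index_entries(events):
    """Number of (entity, event_id) pairs the index holds; grows with events."""
    return sum(len(ids) for ids in build_entity_index(events).values())


def correlate_by_target(events, target):
    """Containers that share a target, answered from the entity index."""
    index = build_entity_index(events)
    by_id = {event[0]: event for event in events}
    shared = index.get(("target", target), set())
    return sorted({by_id[event_id][1] for event_id in shared})


def raw_payload(events):
    """Per-event records as they would be shipped unaggregated."""
    return [{"id": i, "container": c, "type": t, "target": g} for i, c, t, g in events]


def profile_payload(profiles):
    """Aggregated profile records, one per distinct (container, type, target)."""
    return [
        {"container": c, "type": t, "target": g, **entry}
        for (c, t, g), entry in sorted(profiles.items())
    ]


def payload_bytes(payload):
    """JSON size in bytes, used as a proxy for network and storage cost."""
    return len(json.dumps(payload, sort_keys=True).encode())


if __name__ == "__main__":
    events = make_sample_events()
    profiles = aggregate_profiles(events)
    print(f"raw events: {len(events)}, profile entries: {len(profiles)}")
    print(f"raw bytes: {payload_bytes(raw_payload(events))}, "
          f"profile bytes: {payload_bytes(profile_payload(profiles))}")
    print(f"entity index pairs retained: {index_entries(events)}")
    print("containers sharing 10.0.0.5:5432:", correlate_by_target(events, "10.0.0.5:5432"))
```

Running the program shows the two effects side by side: the 206 raw events reduce to 8 profile entries and a much smaller JSON payload, while the entity index still holds 412 entity-to-event pairs, because every event id must remain indexed under both its container and its target for the cross-container correlation query to work.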
It would therefore be advantageous to provide a solution that would overcome the challenges noted above.